One month after MOVEit: New vulnerabilities found as more victims are named

Although much of the initial panic surrounding the late-May breach of Progress Software’s MOVEit file transfer tool has subsided, Clop – the ransomware operation behind the attack – continues to leak victims’ details. Pertinently for security teams on the frontline, Progress itself continues to disclose more vulnerabilities in the product, some of which appear to be under active exploitation.

On 6 July, Progress released the first in a planned series of service packs for MOVEit Transfer and MOVEit Automation, designed to provide a “predictable, simple and transparent process for product and security fixes.”

The pack contains fixes for three newly-disclosed CVEs. In numerical order, these are:

  • CVE-2023-36932, multiple SQL injection vulnerabilities in the MOVEit Transfer web app that could allow an authenticated attacker access to the MOVEit Transfer database, credited to cchav3z of HackerOne, Nicolas Zillo of CrowdStrike, and hoangha2, hoangnx and duongdpt (Q5Ca) of Viettel Cyber Security’s VCSLAB;
  • CVE-2023-36933, a vulnerability that enables an attacker to invoke a method that results in an unhandled exception, causing MOVEit Transfer to quit unexpectedly, credited to jameshorseman of HackerOne;
  • CVE-2023-36934, another SQL injection vulnerability with a similar impact to the first, credited to Guy Lederfein of Trend Micro via the Zero Day Initiative.

Christopher Budd, Sophos X-Ops director of threat research, said that Sophos released detections for intrusion prevention system (IPS) signatures for its products earlier this week, and for at least one of the flaws, has seen “some very limited evidence” of exploitation.

“What this means is if you’re a MOVEit customer and you haven’t applied that service pack, even if you deployed the previously released patches, you need to get that service pack deployed as well,” he told Computer Weekly.

Budd added that he has observed before how, when one high-profile vulnerability is disclosed, attacked and fixed, people think they are now protected and their attention starts to wane, even if other vulnerability disclosures follow, which they often do.

“They think, okay, well, I applied the patch a month and a half ago so I’m done, it’s fine. And that’s not the case,” he said.

“The good news is there’s no indication that this new [flaw] that we’ve seen evidence of attacks against is widespread, but the fact that people are apparently starting to target it means that’s the next wave.

“It’s important for people to try to get ahead of that wave and be sure they apply not just the patches that have been released, but the service pack that brings them fully up to date. If you haven’t applied that service pack, today is a good day to do so.”

Budd said there was not yet enough evidence to attribute this latest malicious activity to Clop or any other threat actor, but noted that the mere fact that there is any evidence of exploitation at all suggests there may be more to come.

He also advised users of any file transfer product – not just MOVEit – to adopt a state of heightened alert, Clop having historically favoured vulnerabilities in such tools. He noted that in many organisations, file transfer utilities are often used on an ad hoc basis by people who have not cleared it with the IT or security teams – so-called shadow IT – so even if security professionals do not believe their organisations are exposed, they should still look into the matter as they may find something surprising.

Intense times

The initial MOVEit incident has now claimed close to 300 victims and has likely affected the data of at least 17 million people. Victims are to be found all over the world, although the highest numbers are now in the US, with over 190 confirmed, Germany with 28, Canada with 21 and the UK with 17 – notably the BBC, Boots and British Airways, which were some of the first named victims in June.

Some of the most recent organisations “named and shamed” by the Clop ransomware operation include real estate firm Jones Lang LaSalle, hotel chain Radisson, and GPS specialist TomTom.

Candidly, a lot of people are just overwhelmed – victims, law enforcement, response companies. It’s been pretty intense
Charles Carmakal, Mandiant

Charles Carmakal, CTO at the consulting business of Google Cloud-owned Mandiant, who has been deeply involved in incident response following the MOVEit attacks, said: “There are so many victims that are impacted by MOVEit, either directly or indirectly, that it’s been really impactful and it’s keeping a lot of people busy. Candidly, a lot of people are just overwhelmed – victims, law enforcement, response companies. It’s been pretty intense.”

The MOVEit incident has been particularly notable for the fact that Clop never deployed actual ransomware and no victims appear to have been affected by data encryption – merely data theft and extortion.

Carmakal explained that in their perfect scenario, a gang like Clop would prefer to be able to use encryption to exert so much pressure that their victims feel there is no alternative but to pay. However, thinking about the MOVEit attack from Clop’s perspective, given the number of vulnerable organisations and the need to hit as many as possible before the initial zero-day was made public, it likely made more sense to just conduct smash-and-grab raids.

The [previous] campaign against Forta GoAnywhere was very lucrative for [Clop],” he said. “I know a lot of victim organisations paid. I think they felt that to be stealing data and only stealing data they would make a lot of money.”

Carmakal said a lot of MOVEit victims have paid, but equally a great many have not, although Budd said that Sophos has observed no payments among victims it has worked with.

Clop is also facing challenges itself. “They’re a small team,” said Carmakal. “It’s hard for a big team to handle this much data, so for a small team to handle this much data, many victims and all the infrastructure they have had to set up to host the volume of data that they’ve stolen – it’s got to be tough.

“They are making some mistakes and will likely make more. One of the things we are advising our clients is there are certain rules that this group abides by – they do things in a certain way – but the caveat is that this time things may be a little different because the threat actors overwhelmed themselves. There could be a number of reasons for the actor to do things that may not be intended or might be accidental, but that’s just a byproduct of them being overwhelmed by the sheer volume of data they have and the number of victims they have.”

One very notable difference observed is the fact that instead of reaching out directly to their victims, Clop asked victims to reach out to it, something that has not really been seen before and may be read as an indication that someone, somewhere, is trying to lighten their workload. The fact that English is not the gang’s first language is also likely complicating things.